Key Holdings in the In re iPhone Application Dismissal Order

The United States District Court for the Northern District of California recently dismissed with prejudice most claims asserted by consumer plaintiffs in In re iPhone Application Litigation, including causes of action under the Stored Communications Act (“SCA”), the Wiretap Act, and other federal and state laws. Plaintiffs asserted that Apple and a group of “Mobile Industry Defendants,” including Google, violated federal and state laws by allowing third party applications for “iDevices”—the iPhone, iPad, and iPod Touch—to collect and use plaintiffs’ personal information without consent. This personal information included geolocation information, the iPhone’s unique device identifier (UDID), and other consumer information, such as age or gender. Two separate putative classes of plaintiffs brought claims against Apple—an iDevices Class and a Geolocation Class. With respect to defendant Apple, Judge Lucy H. Koh dismissed all of plaintiffs’ claims with prejudice, except for two California state law claims. All claims against the Mobile Industry defendants were dismissed with prejudice.

In rejecting the SCA and Wiretap claims, Judge Koh provided a thorough analysis of why plaintiffs’ theories did not comport with these complex and specific statutes. If followed by other courts, this precedent could have a far-reaching effect in limiting plaintiffs’ ability to use these federal statutes to pursue alleged harms arising out of online data collection and use. We examine Judge Koh’s discussion in some detail after the jump.

SCA: Mobile Devices Are Not “Facilities” and Data Was Not Held In “Electronic Storage”

The court dismissed plaintiffs’ SCA claims, holding that mobile devices are not “facilities” through which an “electronic communication service” is provided. As an independent ground for dismissal, Judge Koh also held that the data at issue was not held in “electronic storage,” as is required to state a claim under the statute. Generally, the SCA prohibits unauthorized access to or disclosure of electronically stored communications, such as emails. It creates a private right of action and provides for statutory damages where a person (1) intentionally accesses without authorization “a facility” through which an electronic communication service is provided and (2) “obtains, alters, or prevents authorized access” to electronic communications while they are in “electronic storage.”

The Geolocation Class claimed that Apple violated the SCA by accessing geolocation data without permission because Apple purportedly collected location data from plaintiffs’ iPhones after they had turned “off” a “Location Services” preference. The iDevices Class asserted a similar claim, alleging that Google and other Mobile Industry Defendants violated the SCA by collecting location information from plaintiffs’ iPhones without permission while the information was in “electronic storage.”

In rejecting these theories of SCA liability, Judge Koh held that a mobile device, such as an iPhone, is not a “facility” through which an electronic communication service is provided. The court observed that “the computer systems of an email provider, bulletin board system,” or ISP are “uncontroversial examples of facilities that provide electronic communications services,” but that “less consensus surrounds the question presented here: whether an individual’s computer, laptop, or mobile device fits the definition of a ‘facility through which an electronic communications service is provided.’” In holding that mobile devices were not “facilities” under the SCA, the court agreed with the reasoning in Crowley v. Cybersource Corp, which had held that personal computers were not “facilities,” in part because a contrary interpretation would “render other parts of [the SCA] illogical.”

In addition, Judge Koh held that geolocation information stored on users’ iPhones was not held in “electronic storage,” as that term is defined by the SCA. The court was persuaded by the reasoning in In re DoubleClick, Inc. Privacy Litigation, which noted that “[the SCA] only protects electronic communications stored ‘for a limited time’ in the ‘middle’ of a transmission, i.e. when an electronic communication service temporarily stores a communication while waiting to deliver it.” Here, by contrast, plaintiffs had alleged that Apple was storing geolocation information on mobile devices for up to one year—a period of time that cannot be considered “temporary” or “immediate.” Nor had plaintiffs alleged that defendants “accessed the data at a time when the data was only in temporary, intermediate storage,” as they were required to do.

The Wiretap Act: Communication “Contents”

The Wiretap Act generally prohibits the interception of the contents of communications, and defines the “contents” as “any information concerning the substance, purport, or meaning of that communication.” Like the SCA, the Wiretap Act creates a private right of action and provides for statutory damages.

In this case, plaintiffs alleged that Apple violated the Act by collecting geolocation information, using GPS data, cell phone towers, and Wi-Fi networks to “develop an expansive database of information about the geographic location of cellular towers and wireless networks throughout the United States.” In dismissing plaintiffs’ Wiretap Act claim, the court held that the allegedly intercepted automatically-generated geolocation information was not the “content” of a communication. Judge Koh cited Ninth Circuit authority that the “contents” of communications do not include automatically generated information, such as the time of origination or duration of a phone call, because “‘content’ is limited to information the user intended to communicate, such as the words spoken in a phone call.” Here, too, the data at issue could not be content, because “it was generated automatically, rather than through the intent of the user.”

Other Claims

The court dismissed most of plaintiffs’ other causes of action, including claims under the Computer Fraud and Abuse Act, the California Constitution, negligence, trespass, and conversion. However, the court denied Apple’s Motion to Dismiss state claims brought under California’s Consumer Legal Remedies Act and Unfair Competition Law.

About the Covington Data Privacy and Cybersecurity group

Repeatedly ranked as having one of the best privacy practices in the world, Covington combines exceptional substantive expertise with an unrivaled understanding of the IT industry, and of e-commerce and digital media business models in particular. Read More